Abstract

Partial types allow the reasoning about partial functions in type theory. The partial functions of main interest are recursively computed functions, which are commonly assigned types using fixpoint induction. However, fixpoint induction is valid only on admissible types. Previous work has shown many types to be admissible, but has not shown any dependent products to be admissible. Disallowing recursion on dependent product types substantially reduces the expressiveness of the logic; for example, it prevents much reasoning about modules, objects and algebras.

In this paper I present two new tools, predicate-admissibility and monotonicity, for showing types to be admissible. These tools show a wide class of types to be admissible; in particular, they show many dependent products to be admissible. This alleviates difficulties in applying partial types to theorem proving in practice. I also present a general least upper bound theorem for fixed points with regard to a computational approximation relation, and show an elegant application of the theorem to compactness.
1 Introduction


One of the earliest logical theorem provers was the LCF system [12], based on the logic of partial computable functions [21, 22]. Although LCF enjoyed many groundbreaking successes, one problem it faced was that, although it supported a natural notion of partial function, it had difficulty expressing the notion of a total function. Later theorem provers based on constructive type theory, such as Nuprl [5], based on Martin-Löf type theory [19], and Coq [3], based on the Calculus of Constructions [10], faced the opposite problem; they had a natural notion of total functions, but had difficulty dealing with partial functions. The lack of partial functions seriously limited the scope of those theorem provers, because it made them unable to reason about programs in real programming languages, where recursion does not always terminate.

This problem was addressed by Constable and Smith [8], who introduced into their type theory the partial type $\bar T$, which is like a "lifted" version of $T$. The type $\bar T$ contains all members of $T$ as well as all divergent terms. Using the partial type, partial functions from $A$ to $B$ may be given the type $A \to \bar B$. That is, when applied to an argument in $A$, such a function either diverges or converges to a result in $B$.

In a partial type theory, recursively defined objects may be typed using the fixpoint principle: if $f$ has type $\bar T \to \bar T$ then $fix(f)$ has type $\bar T$. However, the fixpoint principle is not valid for every type $T$; it is only valid for types that are admissible. This phenomenon was not unknown to LCF; LCF used the related device of fixpoint induction, which was valid only for admissible predicates. When the user attempted to invoke fixpoint induction, the system would automatically check that the goal was admissible using a set of syntactic rules [16].

Despite their obvious uses in program analysis, partial types have seen little use in theorem proving systems [9, 4, 2]. This is due in large part to the fact that too few types have been known to be admissible. Smith [24] gave a significant class of admissible types for a Nuprl-like theory, but his class required product types to be non-dependent. The type $\Sigma x{:}A.B$ (where $x$ appears free in $B$) was explicitly excluded. Later, Smith [23] extended his class to include some dependent products $\Sigma x{:}A.B$, but disallowed any free occurrences of $x$ to the left of an arrow in $B$. Partial type extensions to Coq [2] were also restrictive, assuming function spaces to be the only type constructor. These restrictions are quite strong; dependent products are used in encodings of modules [18], objects [20], algebras [17], and even such simple devices as variant records. Furthermore, ruling out dependent products disallows reasoning using fixpoint induction as in LCF [24, 11]. Finally, the restriction is particularly unsatisfying since most types used in practice do turn out to be admissible, and may be shown so by metatheoretical reasoning.

In this paper I present a very wide class of admissible types using two devices, a condition called predicate-admissibility and a monotonicity condition. In particular, many dependent products may be shown to be admissible. Predicate-admissibility relates to when the limit of a chain of type approximations contains certain terms, whereas admissibility relates to the membership of a single type. The term "predicate-admissibility" stems from its similarity to the notion of admissibility of predicates in domain theory (and LCF), where there has been considerable research (this work was influenced by Igarashi [16], for example), but I will not discuss the connection in this paper. Monotonicity is a simpler condition that will be useful for showing types admissible that do not involve partiality.
Figure 1: Type Theory Syntax


The paper is organized as follows: In Section 2 I lay out the theory for which these results are formalized. In Section 3 I prove some computational lemmas needed for the admissibility results. The primary result is a least upper bound theorem for fixed points with regard to a computational approximation relation. This result is quite general, and may be applied more widely than just to the purposes for which I use it. I present my main results in Section 4, beginning with a summary of Smith's original admissibility class and then widening the class using predicate-admissibility and monotonicity. Concluding remarks appear in Section 5.


2 The Type Theory

The type theory in which I formalize the results of this paper is a variant of the Nuprl type theory [5] extended with partial types (that is, types containing possibly divergent objects). This theory is a subset of the type theory of Crary [11] and is similar to Smith's theory [24]. The major difference between the theory used here and Smith's is that the latter does not provide a notion of equality; the ramifications of handling equality are discussed in Crary [11].

2.1 Preliminaries

As data types, the theory contains natural numbers (denoted by $N$), disjoint unions (denoted by $T_1 + T_2$), dependent products¹ (denoted by $\Sigma x{:}T_1.T_2$), and dependent function spaces (denoted by $\Pi x{:}T_1.T_2$). When $x$ does not appear free in $T_2$, I write $T_1 \times T_2$ for $\Sigma x{:}T_1.T_2$ and $T_1 \to T_2$ for $\Pi x{:}T_1.T_2$. As usual, alpha-equivalent terms are considered identical. When $t_1$ and $t_2$ are alpha-equivalent, I write $t_1 \equiv t_2$.

Types themselves are terms in the theory and belong to a predicative hierarchy of universes, $U_1, U_2, U_3$, etc. The universe $U_1$ contains all types built from the base types only (i.e., built without universes), and the universe $U_{i+1}$ contains all types built from the base types and the universes $U_1, \ldots, U_i$. In particular, no universe is a member of itself. Propositions are interpreted as types using the propositions-as-types principle [14], but that will only be relevant in Section 4.3.

¹ These are sometimes referred to in the literature as dependent sums, but I prefer the terminology to suggest the connection to the non-dependent type $T_1 \times T_2$.

Each type $T$ comes with an intrinsic equality relation denoted by $t_1 = t_2 \in T$. Membership is also derived from this relation; $t \in T$ when $t = t \in T$. The equality relation is introduced into the type theory as the type $t_1 = t_2\ \mathit{in}\ T$, which is inhabited by the term $*$ when $t_1 = t_2 \in T$ and is empty otherwise, provided that $t_1, t_2 \in T$. If either of $t_1$ or $t_2$ does not belong to $T$, then $t_1 = t_2\ \mathit{in}\ T$ is not well-formed. (Note that $t_1 = t_2 \in T$ is a metatheoretical assertion whereas $t_1 = t_2\ \mathit{in}\ T$ is a type in the theory.) The empty type $\mathit{Void}$ is defined as $0 = 1\ \mathit{in}\ N$.

The partial type $\bar T$ is like a "lifted" version of $T$; it contains all the members of $T$ as well as all divergent terms. Partial functions from $A$ to $B$ may then be given the type $A \to \bar B$. Two terms are equal in $\bar T$ if they both diverge, or if they both converge and are equal in $T$.

Convergence is expressed within the type theory by the type $t\ \mathit{in!}\ T$, which is inhabited by the term $*$ when $t \in T$ and $t$ converges, and is empty if $t \in T$ but $t$ does not converge. If $t \notin T$ then $t\ \mathit{in!}\ T$ is not well-formed. (Again, note that $t\ \mathit{in!}\ T$ is a type in the theory, but convergence, which is defined formally below, is a metatheoretical assertion.)


2.2 Computation

Underlying the type theory is the computation system shown in Figure 2. The computation system is defined by a small-step evaluation relation (denoted by $t_1 \mapsto t_2$), and a set of canonical terms. Whether a term is canonical is governed by its outermost operator; the canonical terms are those appearing in the first and second columns of Figure 1. The computation system is call-by-name and contains operators for constructing and destructing functions, pairs and disjoint unions. The computation system also contains various standard operations for computing and analyzing natural numbers, but these are not particularly interesting and are omitted from Figure 2. Of particular interest is the operator $fix$, which allows the recursive definition of objects and is evaluated by the rule $fix(f) \mapsto f(fix(f))$.² Two important properties of evaluation are that evaluation is deterministic and canonical forms are terminal:

Proposition 1 If $t \mapsto t_1$ and $t \mapsto t_2$ then $t_1 \equiv t_2$. Moreover, if $t$ is canonical then $t \not\mapsto t'$ for any $t'$.

If $t \mapsto^* t'$ and $t'$ is canonical then I say that $t$ converges (abbreviated $t{\downarrow}$) and $t$ converges to $t'$ (abbreviated $t \Downarrow t'$). Note that if $t \Downarrow t_1$ and $t \Downarrow t_2$ then $t_1 \equiv t_2$ and that if $t$ is canonical then $t \Downarrow t$.

The computation system is used in Figure 3 to define the relation $t_1 = t_2 \in T$, which specifies the memberships of types and when terms are equal in those types.³ This equality relation is constructed to respect evaluation: if $t \in T$ and $t \mapsto t'$ then $t = t' \in T$.

² The use of a $fix$ operator greatly simplifies the presentation of these results (particularly the proof of Theorem 8), but it could be eliminated and replaced with the Y combinator. Similarly, the choice of a call-by-name computation system simplifies the formalism, but is also not critical to the results.

³ Since the definition contains negative occurrences of $t_1 = t_2 \in T$, it is not immediately clear that it is a valid definition. Allen [1] and Harper [13] have shown how such a definition may be converted to a conventional inductive definition.
Figure 2: The Computation System

$$\frac{f \mapsto f'}{f\,e \mapsto f'\,e} \qquad \frac{t \mapsto t'}{\pi_i(t) \mapsto \pi_i(t')} \qquad \frac{t \mapsto t'}{\mathit{case}(t, x.e_1, x.e_2) \mapsto \mathit{case}(t', x.e_1, x.e_2)}$$

$$(\lambda x.e)\,t \mapsto e[t/x] \qquad \pi_i(\langle t_1, t_2\rangle) \mapsto t_i \qquad \mathit{case}(\mathit{inj}_i(t), x.e_1, x.e_2) \mapsto e_i[t/x]$$
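As an added example (not code from the paper), the following Python implements the evaluation relation of Figure 2 together with the $fix$ rule stated in the text, as a small-step, call-by-name evaluator over closed terms written in the uniform $\theta(x_1.t_1, \ldots, x_n.t_n)$ style of Section 3.1. It makes the two properties of Proposition 1 concrete (the step function is a function, so evaluation is deterministic, and canonical forms have no successor), shows that a divergent argument is never forced unless it is used, and shows that $\bot = fix(\lambda x.x)$ never reaches a canonical form while $\pi_1(\pi_2^n(fix(\lambda p.\langle 0, p\rangle)))$ converges for every $n$. The tuple tags such as `'app'`, the helper names and the step bound in `evaluate` are this example's own; the natural-number operations that Figure 2 omits are omitted here as well.

```python
"""Small-step, call-by-name evaluator for the computation system of Figure 2.

Constructed illustration, not code from the paper. Terms are nested tuples in
the spirit of the paper's uniform theta(x1.t1, ..., xn.tn) representation:
  ('var', x) | ('lam', x, e) | ('app', f, e) | ('pair', a, b) | ('proj', i, t)
  | ('inj', i, t) | ('case', t, x, e1, e2) | ('fix', f) | ('nat', n)
Only closed programs are evaluated, and every term substituted for a variable
is closed, so substitution needs no alpha-renaming.
"""

CANONICAL = {'lam', 'pair', 'inj', 'nat'}   # fixed by the outermost operator


def is_canonical(t):
    return t[0] in CANONICAL


def subst(t, x, s):
    """t[s/x] for closed s; a binder that shadows x stops the substitution."""
    op = t[0]
    if op == 'var':
        return s if t[1] == x else t
    if op == 'lam':
        return t if t[1] == x else ('lam', t[1], subst(t[2], x, s))
    if op == 'case':
        _, u, y, e1, e2 = t
        if y == x:
            return ('case', subst(u, x, s), y, e1, e2)
        return ('case', subst(u, x, s), y, subst(e1, x, s), subst(e2, x, s))
    # app, pair, proj, inj, fix, nat: substitute in each subterm, keep tags/indices
    return tuple(subst(a, x, s) if isinstance(a, tuple) else a for a in t)


def step(t):
    """One step t -> t', or None when t is canonical (or stuck). Being a
    function, it is deterministic (Proposition 1) by construction."""
    op = t[0]
    if op == 'app':
        f, e = t[1], t[2]
        if f[0] == 'lam':                       # (lambda x.e) t -> e[t/x]
            return subst(f[2], f[1], e)
        f2 = step(f)                            # f -> f'  implies  f e -> f' e
        return None if f2 is None else ('app', f2, e)
    if op == 'proj':
        i, u = t[1], t[2]
        if u[0] == 'pair':                      # pi_i(<t1, t2>) -> t_i
            return u[i]
        u2 = step(u)                            # t -> t'  implies  pi_i(t) -> pi_i(t')
        return None if u2 is None else ('proj', i, u2)
    if op == 'case':
        _, u, x, e1, e2 = t
        if u[0] == 'inj':                       # case(inj_i(t), x.e1, x.e2) -> e_i[t/x]
            return subst(e1 if u[1] == 1 else e2, x, u[2])
        u2 = step(u)                            # t -> t'  implies  case(t, ..) -> case(t', ..)
        return None if u2 is None else ('case', u2, x, e1, e2)
    if op == 'fix':                             # fix(f) -> f(fix(f)), the rule given in the text
        return ('app', t[1], t)
    return None                                 # canonical forms are terminal


def evaluate(t, fuel):
    """t converges to the returned canonical form within `fuel` steps, else None.
    Convergence is only semi-decidable, hence the bound: None may mean divergence."""
    for _ in range(fuel):
        if is_canonical(t):
            return t
        t = step(t)
        if t is None:
            return None          # stuck: an ill-formed closed term
    return None


# bottom = fix(lambda x.x) unfolds to itself forever and never reaches a canonical form.
BOTTOM = ('fix', ('lam', 'x', ('var', 'x')))
# fix(lambda p.<0, p>) is an infinite lazy list of zeros; call-by-name can walk it.
ZEROS = ('fix', ('lam', 'p', ('pair', ('nat', 0), ('var', 'p'))))


def nth_zero(n, fuel=1000):
    """pi_1(pi_2^n(ZEROS)) converges to 0 for every n although ZEROS is infinite."""
    t = ZEROS
    for _ in range(n):
        t = ('proj', 2, t)
    return evaluate(('proj', 1, t), fuel)


def discards_divergent_argument(fuel=10):
    """(lambda y.3) bottom -> 3: under call-by-name the unused argument is never forced."""
    return evaluate(('app', ('lam', 'y', ('nat', 3)), BOTTOM), fuel)
```

The same program under call-by-value would force `BOTTOM` before entering the body of `lambda y.3` and never return, which is the point of footnote 2: the call-by-name choice is what lets a finite approximation be substituted for `fix(f)` without first being evaluated.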

2.3 The Fixpoint Principle

The central issue of this paper is the fixpoint principle:

$$f \in \bar T \to \bar T \Rightarrow fix(f) \in \bar T$$

The fixpoint principle allows us to type recursively defined objects, such as recursive functions. Unfortunately, unlike in programming languages, where the principle can usually be invoked on arbitrary types, expressive type theories such as the one in this paper contain types for which the fixpoint principle is not valid. I shall informally say that a type is admissible if the fixpoint principle is valid for that type and give a formal definition in Section 4. To make maximum use of a partial type theory, one wants as large a class of admissible types as possible.

In Section 4 I will explore two wide classes of admissible types, one derived from a predicate-admissibility condition and another derived from a monotonicity condition. But first, it is worthwhile to note that there are indeed inadmissible types:

Theorem 2 There exist inadmissible types.

Proof Sketch

This example is due to Smith [24]. Let $T$ be the type of functions that do not halt for all inputs, and let $f$ be the function that halts on zero, and on any other $n$ immediately recurses with $n - 1$. This is formalized as follows:

$$T \stackrel{\mathrm{def}}{=} \Sigma h{:}(N \to \bar N).\ ((\Pi x{:}N.\ h\,x\ \mathit{in!}\ N) \to \mathit{Void})$$

$$f \stackrel{\mathrm{def}}{=} \lambda p.\langle \lambda x.\ \mathit{if}\ x = 0\ \mathit{then}\ 0\ \mathit{else}\ \pi_1(p)(x - 1),\ \lambda y.*\rangle$$

Intuitively, any finite approximation of $fix(f)$ will recurse some limited number of times and then give up, placing it in $\bar T$, but $fix(f)$ will halt for every input, excluding it from $T$. Formally, the function $f$ has type $\bar T \to \bar T$, but $fix(f) \notin \bar T$. (The proof of these two facts appears in Appendix A.) Therefore $T$ is not admissible.

3 Computational Lemmas

Before presenting my main results in Section 4, I first require some lemmas about the computational behavior of the fixpoint operator. The central result is that $fix(f)$ is the least upper bound of the finite approximations $\bot, f(\bot), f(f(\bot)), \ldots$ with regard to a computational approximation relation defined below. The compactness of $fix$ (if $fix(f)$ halts then one of its finite approximations halts) will be a simple corollary of this result. However, the proof of the least upper bound theorem is considerably more elegant than most proofs of compactness.

Figure 3: Type Definitions

$t \in T$ iff $t = t \in T$

$T\ \mathit{type}$ iff $T = T$

$T_1 = T_2$ iff $\exists T'_1, T'_2.\ (T_1 \Downarrow T'_1) \wedge (T_2 \Downarrow T'_2) \wedge (T'_1 \approx T'_2)$

$t_1 = t_2 \in T$ iff $\exists t'_1, t'_2, T'.\ (t_1 \Downarrow t'_1) \wedge (t_2 \Downarrow t'_2) \wedge (T \Downarrow T') \wedge (t'_1 = t'_2 \in T')$

$n = n' \in N$ ($n, n'$ natural numbers) iff $n = n'$

$\mathit{inj}_1(a) = \mathit{inj}_1(a') \in A + B$ iff $A + B\ \mathit{type} \wedge a = a' \in A$

$\mathit{inj}_2(b) = \mathit{inj}_2(b') \in A + B$ iff $A + B\ \mathit{type} \wedge b = b' \in B$

$\langle a, b\rangle = \langle a', b'\rangle \in \Sigma x{:}A.B$ iff $\Sigma x{:}A.B\ \mathit{type} \wedge (a = a' \in A) \wedge (b = b' \in B[a/x])$

$\lambda x.b = \lambda x.b' \in \Pi x{:}A.B$ iff $\Pi x{:}A.B\ \mathit{type} \wedge \forall a = a' \in A.\ b[a/x] = b'[a'/x] \in B[a/x]$

$t = t' \in \bar T$ iff $\bar T\ \mathit{type} \wedge (t{\downarrow} \Leftrightarrow t'{\downarrow}) \wedge (t{\downarrow} \supset t = t' \in T)$

$* \in (a = a'\ \mathit{in}\ A)$ iff $(a = a'\ \mathit{in}\ A)\ \mathit{type} \wedge (a = a' \in A)$

$* \in (a\ \mathit{in!}\ A)$ iff $(a\ \mathit{in!}\ A)\ \mathit{type} \wedge a{\downarrow}$

For $T \approx T'$ iff $T = T'$, and for $T \approx T'$ iff $T = T' \in U_i$:

$N \approx N$

$A + B \approx A' + B'$ iff $A \approx A' \wedge B \approx B'$

$\Sigma x{:}A.B \approx \Sigma x{:}A'.B'$ iff $A \approx A' \wedge \forall a = a' \in A.\ B[a/x] \approx B'[a'/x]$

$\Pi x{:}A.B \approx \Pi x{:}A'.B'$ iff $A \approx A' \wedge \forall a = a' \in A.\ B[a/x] \approx B'[a'/x]$

$\bar T \approx \bar{T'}$ iff $T \approx T' \wedge \forall t \in T.\ t{\downarrow}$

$(a_1 = a_2\ \mathit{in}\ A) \approx (a'_1 = a'_2\ \mathit{in}\ A')$ iff $A \approx A' \wedge a_1 = a'_1 \in A \wedge a_2 = a'_2 \in A$

$(a\ \mathit{in!}\ A) \approx (a'\ \mathit{in!}\ A')$ iff $A \approx A' \wedge a = a' \in A$

$U_i\ \mathit{type}$

$U_i \in U_j$ iff $i < j$

3.1 Computational Approximation

For convenience, throughout this section we will frequently consider terms using a unified representation scheme for terms: A term is either a variable or a compound term $\theta(x_{11} \cdots x_{1k_1}.t_1, \ldots, x_{n1} \cdots x_{nk_n}.t_n)$ where the variables $x_{i1}, \ldots, x_{ik_i}$ are bound in the subterm $t_i$. For example, the term $\Pi x{:}T_1.T_2$ is represented $\Pi(T_1, x.T_2)$ and the term $\langle t_1, t_2\rangle$ is represented $\langle\rangle(t_1, t_2)$.

Informally speaking, a term $t_1$ approximates the term $t_2$ when: if $t_1$ converges to a canonical form then $t_2$ converges to a canonical form with the same outermost operator, and the subterms of $t_1$'s canonical form approximate the corresponding subterms of $t_2$'s canonical form. The formal definition appears below and is due to Howe [15].⁴ Following Howe, when $R$ is a binary relation on closed terms, I adopt the convention extending $R$ to possibly open terms that if $t$ and $t'$ are possibly open then $t\ R\ t'$ if and only if $\sigma(t)\ R\ \sigma(t')$ for every substitution $\sigma$ such that $\sigma(t)$ and $\sigma(t')$ are closed.


Definition 3 (Computational Approximation)

• Let $R$ be a binary relation on closed terms and suppose $e$ and $e'$ are closed. Then $e\ C(R)\ e'$ exactly when if $e \Downarrow \theta(x_1.t_1, \ldots, x_n.t_n)$ then there exists some closed $e'' \equiv \theta(x_1.t'_1, \ldots, x_n.t'_n)$ such that $e' \Downarrow e''$ and $t_i\ R\ t'_i$.

• $e \leq_0 e'$ whenever $e$ and $e'$ are closed.

• $e \leq_{i+1} e'$ if and only if $e\ C(\leq_i)\ e'$.

• $e \leq e'$ if and only if $e \leq_i e'$ for every $i$.

The following are facts about computational approximation that will be used without explicit reference. The first two follow immediately from the definition, the third is easy using determinism (Proposition 1) and the last is proven using Howe's method [15].

Proposition 4

• $\leq$ and $\leq_i$ are reflexive and transitive.

• If $t \mapsto t'$ then $t' \leq t$ and $t' \leq_i t$.

• If $t \mapsto t'$ then $t \leq t'$ and $t \leq_i t'$.

• (Congruence) If $e \leq e'$ and $t \leq t'$ then $e[t/x] \leq e'[t'/x]$.


3.2 Finite Approximations

With this notion of computational approximation in hand, we may now show that the terms $\bot, f\bot, f(f\bot), \ldots$ form a chain of approximations to the term $fix(f)$. Let $\bot$ be the divergent term $fix(\lambda x.x)$. Since $\bot$ never converges, $\bot \leq t$ for any term $t$. Let $f^i$ be defined as follows:

$$f^0 \stackrel{\mathrm{def}}{=} \bot \qquad\qquad f^{i+1} \stackrel{\mathrm{def}}{=} f(f^i)$$

Certainly $f^0 \leq f^1$, since $f^0 \equiv \bot$. By congruence, $f(f^0) \leq f(f^1)$, and thus $f^1 \leq f^2$. Similarly, $f^i \leq f^{i+1}$ for all $i$. Thus $f^0, f^1, f^2, \ldots$ forms a chain; I now wish to show that $fix(f)$ is an upper bound of the chain. Certainly $f^0 \leq fix(f)$. Suppose $f^i \leq fix(f)$. By congruence $f(f^i) \leq f(fix(f))$. Thus, since $fix(f) \mapsto f(fix(f))$, it follows that $f^{i+1} \equiv f(f^i) \leq f(fix(f)) \leq fix(f)$. By induction it follows that $fix(f)$ is an upper bound of the chain. The following corollary follows from congruence and the definition of approximation:

Corollary 5 If there exists $j$ such that $e[f^j/x]{\downarrow}$ then $e[fix(f)/x]{\downarrow}$. Moreover, the canonical forms of $e[f^j/x]$ and $e[fix(f)/x]$ must have the same outermost operator.

⁴ Howe's definition actually differs slightly from the one here; he defines $\leq$ as the greatest fixed point of the operator $C$. It is not difficult to show that the two definitions are equivalent, as long as the computation system is deterministic (Proposition 1). If the computation system is nondeterministic, the definition here fails to be a fixed point, and the more complicated greatest fixed point definition must be employed.


3.3 Least Upper Bound Theorem

In this section I summarize the proof of the least upper bound theorem. The full proof appears in Appendix A. To begin, we need a lemma stating a general property of evaluation. Lemma 6 captures the intuition that closed, noncanonical terms that lie within a term being evaluated are not destructed; they either are moved around unchanged (the lemma's first case) or are evaluated in place with the surrounding term left unchanged (the lemma's second case). The variable $x$ indicates positions where the term of interest is found and, in the second case, the variable $y$ indicates which of those positions, if any, is about to be evaluated.

Lemma 6 If $e_1[t/x] \mapsto e_2$, and $e_1[t/x]$ is closed, and $t$ is closed and noncanonical, then either

• there exists $e'_2$ such that for any closed $t'$, $e_1[t'/x] \mapsto e'_2[t'/x]$, or

• there exist $e'_1$ and $t'$ such that $e_1 \equiv e'_1[x/y]$, $t \mapsto t'$ and for any closed $t''$, $e'_1[t'', t/x, y] \mapsto e'_1[t'', t'/x, y]$.

It is worthwhile to note that Propositions 1 and 4 and Lemma 6 are the only properties of evaluation used in the proof of the least upper bound theorem, and that these properties are true in computational systems with considerable generality. Consequently, the theorem may be used in a variety of applications beyond the computational system of this paper.

Lemma 7 shows that $fix$ terms may be effectively simulated in any particular computation by sufficiently large finite approximations. The lemma is simplified by using computational approximation instead of evaluation for the simulation, which makes it unnecessary to track which of the approximations are unfolded and which are not, an issue that often complicates compactness proofs.

Lemma 7 (Simulation) For all $f$, $e_1$ and $e_2$ (where $f$ is closed and $x$ is the only free variable of $e_1$), there exist $j$ and $e'_2$ such that if $e_1[fix(f)/x] \mapsto^* e_2$ then $e_2 \equiv e'_2[fix(f)/x]$ and for all $k \geq j$, $e'_2[f^{k-j}/x] \leq e_1[f^k/x]$.

Theorem 8 (Least Upper Bound) For all $f$, $t$ and $e$ (where $f$ is closed), if $\forall j.\ e[f^j/x] \leq t$, then $e[fix(f)/x] \leq t$.
Proof Sketch

By induction on $l$ that $e[fix(f)/x] \leq_l t$. (The complete proof in Appendix A addresses free variables.) Suppose $e[fix(f)/x]$ evaluates to some canonical form $e'[fix(f)/x]$ (where $e'$ is chosen by Lemma 7). Let $e'$ be of the form $\theta(x_1.t_1, \ldots, x_n.t_n)$. Using Lemma 7, the assumption $\forall k.\ e[f^k/x] \leq t$, and transitivity, we may show that $e'[f^j/x] \leq t$ for all $j$. Therefore $t \Downarrow \theta(x_1.t'_1, \ldots, x_n.t'_n)$ and $t_i[f^j/x] \leq t'_i$ for all $j$. Now, by induction, $t_i[fix(f)/x] \leq_l t'_i$. Thus $e[fix(f)/x] \leq_{l+1} t$.

There are two easy corollaries to the least upper bound theorem. One is that $fix(f)$ is the least fixed point of $f$, and the other is compactness.

Corollary 9 (Least Fixed Point) For all closed $f$ and $t$, if $f(t) \leq t$ then $fix(f) \leq t$.

Proof

Certainly $f^0 \equiv \bot \leq t$. Then $f^1 \equiv f(f^0) \leq f(t) \leq t$. Similarly, by induction, $f^j \leq t$ for any $j$. Therefore $fix(f) \leq t$ by Theorem 8. □

Corollary 10 (Compactness) If $f$ is closed and $e[fix(f)/x]{\downarrow}$ then there exists some $j$ such that $e[f^j/x]{\downarrow}$. Moreover, the canonical forms of $e[fix(f)/x]$ and $e[f^j/x]$ must have the same outermost operator.

Proof

Suppose there does not exist $j$ such that $e[f^j/x]{\downarrow}$. Then $e[f^j/x] \leq \bot$ for all $j$. By Theorem 8, $e[fix(f)/x] \leq \bot$. Therefore $e[fix(f)/x]$ does not converge, but this contradicts the assumption,⁵ so there must exist $j$ such that $e[f^j/x]{\downarrow}$. Since $e[f^j/x] \leq e[fix(f)/x]$, the canonical forms of $e[f^j/x]$ and $e[fix(f)/x]$ must have the same outermost operator. □
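As an added illustration (not code from the paper), here is a Python model of Smith's counterexample $f$ from Theorem 2 together with the chain $f^0, f^1, f^2, \ldots$ of Section 3.2 and the compactness property of Corollary 10. Terms are Python thunks (zero-argument callables), so an argument is forced only when it is used, as in the paper's call-by-name system, and divergence is modelled by raising an exception. Running it shows that $\pi_1(f^j)$ halts exactly on inputs below $j$, so every $f^j$ fails to halt somewhere (which is what places it in $\bar T$), while $fix(f)$ halts on every input; and that whenever $fix(f)\,x$ converges some finite approximation already does, the least being $f^{x+1}$. Only computational behaviour is modelled, nothing here checks membership in $T$ or $\bar T$; the names `approx`, `fix_f`, `halts` and the rest are this example's own.

```python
"""Smith's inadmissibility example (Theorem 2) and its finite approximations.

Constructed illustration, not code from the paper. A term is a Python thunk,
so an argument is forced only when used (call-by-name); divergence is
modelled by raising Diverge. Types are not checked, only evaluation.
"""


class Diverge(Exception):
    """Raised when a term that never reaches a canonical form is forced."""


def bottom():
    """The divergent term bottom = fix(lambda x.x)."""
    raise Diverge()


def f(p):
    """f = lambda p.<lambda x. if x = 0 then 0 else pi_1(p)(x - 1), lambda y.*>.

    p is a thunk; pi_1(p) forces it only in the recursive branch.
    """
    def left(x):
        if x == 0:
            return 0
        return p()[0](x - 1)           # pi_1(p) applied to x - 1

    def right(y):
        return "*"                     # the trivial witness * (typing not checked)

    return (left, right)


def approx(j):
    """The finite approximation f^j as a thunk: f^0 = bottom, f^(i+1) = f(f^i)."""
    if j == 0:
        return bottom
    return lambda: f(approx(j - 1))


def fix_f():
    """fix(f); forcing it performs one unfolding fix(f) -> f(fix(f))."""
    return f(fix_f)


def halts(term, x):
    """True iff pi_1(term) x converges, False iff it diverges."""
    try:
        term()[0](x)
        return True
    except Diverge:
        return False


def halts_approx(j, x):
    """pi_1(f^j) x converges exactly when x < j: f^j recurses j - 1 times and then
    hits bottom. So every f^j fails to halt on some input (hence lies in T-bar)."""
    return halts(approx(j), x)


def halts_fix(x):
    """pi_1(fix(f)) x converges for every x, which is why fix(f) is not in T."""
    return halts(fix_f, x)


def least_converging_approximation(x):
    """Compactness (Corollary 10) made concrete: since fix(f) x converges, some
    f^j x converges too. Returns the least such j, which for this f is x + 1."""
    j = 0
    while not halts_approx(j, x):
        j += 1
    return j


def chain_is_monotone(x, jmax):
    """Section 3.2: f^0 <= f^1 <= ... <= fix(f). Convergence on x, once reached
    at some f^j, is kept by every later approximation and by the upper bound."""
    hs = [halts_approx(j, x) for j in range(jmax + 1)]
    never_lost_later = all(b or not a for a, b in zip(hs, hs[1:]))
    return never_lost_later and (halts_fix(x) or not any(hs))
```

The chain behaviour is the whole reason $T$ is inadmissible: the cofinite part of the chain $f^1, f^2, \ldots$ sits in $\bar T$, yet its upper bound does not, so Definition 12 fails for $T$ even though $f$ itself is perfectly well typed at $\bar T \to \bar T$.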


4 Admissibility

I am now ready to begin specifying some wide classes of types for which the fixpoint principle is valid. First we define admissibility. The simple property of validating the fixpoint principle is too specific to allow any good closure conditions to be shown easily, so we generalize a bit to define admissibility. A type is admissible if the upper bound $t[fix(f)]$ of an approximation chain $t[f^0], t[f^1], t[f^2], \ldots$ belongs to the type whenever a cofinite subset of the chain belongs to the type.

This is formalized as Definition 12, but first I define some convenient notation.


Notation 11 For any natural number $j$, the notation $t^{[j]}_f$ means $t[f^j/w]$, and the notation $t^{[\omega]}_f$ means $t[fix(f)/w]$. Also, the $f$ subscript is dropped when the intended term $f$ is unambiguously clear.

⁵ Although this proof is non-constructive, a slightly less elegant constructive proof is derivable directly from Lemma 7.
Definition 12 A type $T$ is admissible (abbreviated $\mathrm{Adm}(T)$) if:

$$\forall f, t, t'.\ (\exists j.\ \forall k \geq j.\ t^{[k]} = t'^{[k]} \in T) \Rightarrow t^{[\omega]} = t'^{[\omega]} \in T$$

As expected, admissibility is sufficient to guarantee applicability of the fixpoint principle:

Theorem 13 For any $T$, $f$ and $f'$, if $T$ is admissible and $f = f' \in \bar T \to \bar T$ then $fix(f) = fix(f') \in \bar T$.

Proof

$T\ \mathit{type}$ since $\bar T \to \bar T\ \mathit{type}$. Note that $f^j = f'^j \in \bar T$ for every $j$. Suppose $fix(f){\downarrow}$. By compactness, $f^j{\downarrow}$ for some $j$. Since $f^j = f'^j \in \bar T$, it follows that $f'^j{\downarrow}$ and thus $fix(f'){\downarrow}$ by Corollary 5. Similarly $fix(f'){\downarrow}$ implies $fix(f){\downarrow}$. It remains to show that $fix(f) = fix(f') \in T$ when $fix(f){\downarrow}$. Suppose again that $fix(f){\downarrow}$. As before, there exists $j$ such that $f^j{\downarrow}$ by compactness. Hence $f^j = f'^j \in T$. Since $T$ is admissible, $fix(f) = fix(f') \in T$. □

A number of closure conditions exist on admissible types and are given in Lemma 14. Informally, basic compound types other than dependent products are admissible so long as their component types in positive positions are admissible. Base types (natural numbers, convergence types, and, for this lemma only, equality types) are always admissible. These are essentially the admissible types of Smith [24], except that for a function type to be admissible Smith required that its domain type be admissible.

Lemma 14

• $\mathrm{Adm}(A + B)$ if $\mathrm{Adm}(A)$ and $\mathrm{Adm}(B)$

• $\mathrm{Adm}(\Pi x{:}A.B)$ if $\forall a \in A.\ \mathrm{Adm}(B[a/x])$

• $\mathrm{Adm}(A \times B)$ if $\mathrm{Adm}(A)$ and $\mathrm{Adm}(B)$

• $\mathrm{Adm}(N)$

• $\mathrm{Adm}(a = a'\ \mathit{in}\ A)$

• $\mathrm{Adm}(\bar A)$ if $\mathrm{Adm}(A)$

• $\mathrm{Adm}(a\ \mathit{in!}\ A)$

Proof

The proof follows the same lines as Smith's proof, except that handling equality adds a small amount of complication to the proof. I show the function case by way of example.

Let $f$, $t$ and $t'$ be arbitrary. Suppose $j$ is such that $\forall k \geq j.\ t^{[k]} = t'^{[k]} \in \Pi x{:}A.B$. I need to show that $t^{[\omega]} = t'^{[\omega]} \in \Pi x{:}A.B$. Since $\Pi x{:}A.B$ is inhabited it is a type. Both $t^{[j]}$ and $t'^{[j]}$ converge to lambda abstractions, so, by Corollary 5, $t^{[\omega]} \Downarrow \lambda x.b$ and $t'^{[\omega]} \Downarrow \lambda x.b'$ for some terms $b$ and $b'$. Suppose $a = a' \in A$. To get that $b[a/x] = b'[a'/x] \in B[a/x]$ it suffices to show that $t^{[\omega]}\,a = t'^{[\omega]}\,a' \in B[a/x]$. Since $\mathrm{Adm}(B[a/x])$, it suffices to show that $\forall k \geq j.\ t^{[k]}\,a = t'^{[k]}\,a' \in B[a/x]$, which follows from the supposition. □
Unfortunately, Lemma 14 can show the admissibility of a product space only if it is non-dependent. Dependent products do not have an admissibility condition similar to that of dependent functions. The reason for this is as follows: Admissibility states that a single fixed type contains the limit of an approximation chain if it contains a cofinite subset of that chain. For functions, disjoint unions, partial types, and non-dependent products it is possible to decompose prospective members in such a way that admissibility may be applied to a single type (such as the type $B[a/x]$ used in the proof of Lemma 14). In contrast, for a dependent product, the right-hand term's desired type depends upon the left-hand term, which is changing at the same time as the right-hand term. Consequently, there is no single type into which to place the right-hand term.

However, understanding the problem with dependent products suggests a solution: generalize the definition of admissibility to allow the type to vary. This leads to the notion of predicate-admissibility that I discuss in the next section.


4.1 Predicate-Admissibility

Definition 15 A type $T$ is predicate-admissible for $x$ in $S$ (abbreviated $\mathrm{Adm}(T \mid x : S)$) if:

$$\forall f, t, t', e.\ e^{[\omega]} \in S \wedge (\exists j.\ \forall k \geq j.\ e^{[k]} \in S \wedge t^{[k]} = t'^{[k]} \in T[e^{[k]}/x]) \Rightarrow t^{[\omega]} = t'^{[\omega]} \in T[e^{[\omega]}/x]$$

The term "predicate-admissibility" stems from its similarity to the notion of admissibility of predicates in domain theory (and LCF). If one ignores the inhabiting terms $t$ and $t'$, which may be seen as evidences of the truth of the predicate $T[\cdot]$, then predicate-admissibility is saying $T[e^{[\omega]}]$ if $T[e^{[k]}]$ for all $k$ greater than some $j$. This is precisely the notion of admissibility of predicates in domain theory. Indeed, the results here were influenced by the work of Igarashi [16], who established conditions on admissibility of domain-theoretic predicates.

To show the admissibility of a dependent product type, it is sufficient to show predicate-admissibility of the right-hand side (along with admissibility of the left):

Lemma 16 The type $\Sigma x{:}A.B$ is admissible if $\mathrm{Adm}(A)$ and $\mathrm{Adm}(B \mid x : A)$.

Proof

Let $f$, $t$ and $t'$ be arbitrary. Suppose $j$ is such that $\forall k \geq j.\ t^{[k]} = t'^{[k]} \in \Sigma x{:}A.B$. It is necessary to show that $t^{[\omega]} = t'^{[\omega]} \in \Sigma x{:}A.B$. Since $\Sigma x{:}A.B$ is inhabited it is a type. Both $t^{[j]}$ and $t'^{[j]}$ converge to pairs, so, by Corollary 5, $t^{[\omega]} \Downarrow \langle a, b\rangle$ and $t'^{[\omega]} \Downarrow \langle a', b'\rangle$ for some terms $a$, $b$, $a'$ and $b'$. To get that $a = a' \in A$ it suffices to show that $\pi_1(t^{[\omega]}) = \pi_1(t'^{[\omega]}) \in A$. Since $\mathrm{Adm}(A)$, it suffices to show that $\forall k \geq j.\ \pi_1(t^{[k]}) = \pi_1(t'^{[k]}) \in A$, which follows from the supposition.

To get that $b = b' \in B[a/x]$ (the interesting part), it suffices to show that $\pi_2(t^{[\omega]}) = \pi_2(t'^{[\omega]}) \in B[\pi_1(t^{[\omega]})/x]$. Since $\mathrm{Adm}(B \mid x : A)$, it suffices to show that $\pi_1(t^{[\omega]}) \in A$, which has already been shown, and $\forall k \geq j.\ \pi_1(t^{[k]}) \in A \wedge \pi_2(t^{[k]}) = \pi_2(t'^{[k]}) \in B[\pi_1(t^{[k]})/x]$, which follows from the supposition. □

The conditions for predicate-admissibility are more elaborate, but also more general. I may immediately state conditions for basic types other than functions. Informally, basic compound types other than functions are predicate-admissible so long as their component types are predicate-admissible, and base types are always predicate-admissible. (The proof for these conditions, and all other remaining proofs, appear in Appendix A.)


Lemma 17

• $\mathrm{Adm}(A + B \mid y : S)$ if $\forall s \in S.\ (A + B)[s/y]$ type and $\mathrm{Adm}(A \mid y : S)$ and $\mathrm{Adm}(B \mid y : S)$.

• $\mathrm{Adm}(\Sigma x{:}A.B \mid y : S)$ if $\forall s \in S.\ (\Sigma x{:}A.B)[s/y]$ type and $\Sigma y{:}S.A$ type and $\mathrm{Adm}(A \mid y : S)$ and $\mathrm{Adm}(B[\pi_1(z), \pi_2(z)/y, x] \mid z : (\Sigma y{:}S.A))$

• $\mathrm{Adm}(\mathsf{N} \mid y : S)$

• $\mathrm{Adm}(a_1 = a_2\ \mathrm{in}\ A \mid y : S)$ if $\forall s \in S.\ (a_1 = a_2\ \mathrm{in}\ A)[s/y]$ type and $\mathrm{Adm}(A \mid y : S)$

• $\mathrm{Adm}(\bar{A} \mid y : S)$ if $\forall s \in S.\ \bar{A}[s/y]$ type and $\mathrm{Adm}(A \mid y : S)$

• $\mathrm{Adm}(a\ \mathrm{in!}\ A \mid y : S)$ if $\forall s \in S.\ (a\ \mathrm{in!}\ A)[s/y]$ type


Predicate-admissibility of a function type is more complicated because a function argument with the type $A[e^{[\omega]}/x]$ does not necessarily belong to any of the finite approximations $A[e^{[k]}/x]$. To settle this, it is necessary to require a coadmissibility condition on the domain type. Then a function type will be predicate-admissible if the domain is weakly coadmissible and the codomain is predicate-admissible.


Definition 18 A type $T$ is weakly coadmissible for $x$ in $S$ (abbreviated $\mathrm{WCoAdm}(T \mid x : S)$) if:

$$\forall f, t, t', e.\;\; e^{[\omega]} \in S \;\wedge\; (\exists j.\, \forall k \ge j.\; e^{[k]} \in S) \;\wedge\; t = t' \in T[e^{[\omega]}/x] \;\Rightarrow\; (\exists j.\, \forall k \ge j.\; t = t' \in T[e^{[k]}/x])$$

A type $T$ is coadmissible for $x$ in $S$ (abbreviated $\mathrm{CoAdm}(T \mid x : S)$) if:

$$\forall f, t, t', e.\;\; e^{[\omega]} \in S \;\wedge\; (\exists j.\, \forall k \ge j.\; e^{[k]} \in S) \;\wedge\; t^{[\omega]} = t'^{[\omega]} \in T[e^{[\omega]}/x] \;\Rightarrow\; (\exists j.\, \forall k \ge j.\; t^{[k]} = t'^{[k]} \in T[e^{[k]}/x])$$


Lemma 19 $\mathrm{Adm}(\Pi x{:}A.B \mid y : S)$ if $\forall s \in S.\ (\Pi x{:}A.B)[s/y]$ type and $\mathrm{WCoAdm}(A \mid y : S)$ and $\forall s \in S, a \in A[s/y].\ \mathrm{Adm}(B[a/x] \mid y : S)$


Clearly coadmissibility implies weak coadmissibility. A general set of conditions listed in Lemma 20 establishes weak and full coadmissibility for various types. Weak and full coadmissibility are closed under disjoint union and dependent sum formation, and full coadmissibility is additionally closed under equality-type formation. I use both notions of coadmissibility, rather than just adopting one or the other, because full coadmissibility is needed for equality types but under certain circumstances weak coadmissibility is easier to show (Proposition 21 below).
Lemma 20

• $A + B$ is (weakly) coadmissible for $y$ in $S$ if $\forall s \in S.\ (A + B)[s/y]$ type and $A$ and $B$ are (weakly) coadmissible for $y$ in $S$

• $\mathrm{WCoAdm}(\Sigma x{:}A.B \mid y : S)$ if $\forall s \in S.\ (\Sigma x{:}A.B)[s/y]$ type and $\mathrm{WCoAdm}(A \mid y : S)$ and $\forall s \in S, a \in A[s/y].\ \mathrm{WCoAdm}(B[a/x] \mid y : S)$

• $\mathrm{CoAdm}(\Sigma x{:}A.B \mid y : S)$ if $\forall s \in S.\ (\Sigma x{:}A.B)[s/y]$ type and $\Sigma y{:}S.A$ type and $\mathrm{CoAdm}(A \mid y : S)$ and $\mathrm{CoAdm}(B[\pi_1(z), \pi_2(z)/y, x] \mid z : (\Sigma y{:}S.A))$

• $\mathsf{N}$ is strongly or weakly coadmissible for $y$ in any $S$

• $\mathrm{CoAdm}(a_1 = a_2\ \mathrm{in}\ A \mid y : S)$ if $\forall s \in S.\ (a_1 = a_2\ \mathrm{in}\ A)[s/y]$ type and $\mathrm{CoAdm}(A \mid y : S)$

• $\bar{A}$ is (weakly) coadmissible for $y$ in $S$ if $\forall s \in S.\ \bar{A}[s/y]$ type and $A$ is (weakly) coadmissible for $y$ in $S$

• $a\ \mathrm{in!}\ A$ is strongly or weakly coadmissible for $y$ in $S$ if $\forall s \in S.\ (a\ \mathrm{in!}\ A)[s/y]$ type


When $T$ does not depend upon $S$, predicate-admissibility and weak coadmissibility become easier to show:

Proposition 21 Suppose $x$ does not appear free in $T$. Then:

• $\mathrm{Adm}(T)$ if $\mathrm{Adm}(T \mid x : S)$ and $S$ is inhabited

• $\mathrm{Adm}(T \mid x : S)$ if $\mathrm{Adm}(T)$

• $\mathrm{WCoAdm}(T \mid x : S)$


There remains one more result related to predicate-admissibility. Suppose one wishes to show $\mathrm{Adm}(T \mid x : S)$ where $T$ depends upon $x$. There are two ways that $x$ may be used in $T$. First, $T$ might contain an equality type where $x$ appears in one or both of the equands. In that case, predicate-admissibility can be shown with the tools discussed above. Second, $T$ may be an expression that computes a type from $x$. In this case, $T$ can be simplified using untyped reasoning [15], but another tool will be needed if $T$ performs any case analysis.


Lemma 22 Consider a type $\mathrm{case}(d, x.A, x.B)$ that depends upon $y$ from $S$. Suppose there exist $T_1$ and $T_2$ such that:

• $\forall s \in S.\ d[s/y] \in (T_1 + T_2)[s/y]$

• $\forall s \in S, t \in T_1[s/y].\ A[s, t/y, x]$ type

• $\forall s \in S, t \in T_2[s/y].\ B[s, t/y, x]$ type

• $\Sigma y{:}S.T_1$ type and $\Sigma y{:}S.T_2$ type

Then the following are the case:

• $\mathrm{Adm}(\mathrm{case}(d, x.A, x.B) \mid y : S)$ if $\mathrm{Adm}(A[\pi_1(z), \pi_2(z)/y, x] \mid z : (\Sigma y{:}S.T_1))$ and $\mathrm{Adm}(B[\pi_1(z), \pi_2(z)/y, x] \mid z : (\Sigma y{:}S.T_2))$

• $\mathrm{WCoAdm}(\mathrm{case}(d, x.A, x.B) \mid y : S)$ if $\mathrm{WCoAdm}(A[\pi_1(z), \pi_2(z)/y, x] \mid z : (\Sigma y{:}S.T_1))$ and $\mathrm{WCoAdm}(B[\pi_1(z), \pi_2(z)/y, x] \mid z : (\Sigma y{:}S.T_2))$

• $\mathrm{CoAdm}(\mathrm{case}(d, x.A, x.B) \mid y : S)$ if $\mathrm{CoAdm}(A[\pi_1(z), \pi_2(z)/y, x] \mid z : (\Sigma y{:}S.T_1))$ and $\mathrm{CoAdm}(B[\pi_1(z), \pi_2(z)/y, x] \mid z : (\Sigma y{:}S.T_2))$


4.2  Monotonicity 

In  some  cases  a  very  simple  device  may  be  used  to  show  admissibility.  We  say  that  a  type  is 
monotone  if  it  respects  computational  approximation,  and  it  is  easy  to  show  that  all  monotone 
types  are  admissible. 


Definition 23 A type $T$ is monotone (abbreviated $\mathrm{Mono}(T)$) if $t = t' \in T$ whenever $t \in T$ and $t \le t'$.


Lemma 24 All monotone types are admissible.

Proof

Let $f$, $t$ and $t'$ be arbitrary and suppose there exists $j$ such that $t^{[j]} = t'^{[j]} \in T$. Since $t^{[j]} \le t^{[\omega]}$ and $t'^{[j]} \le t'^{[\omega]}$, it follows that $t^{[j]} = t^{[\omega]} \in T$ and $t'^{[j]} = t'^{[\omega]} \in T$. The result follows directly. □

All  type  constructors  are  monotone  except  universes  and  partial  types,  which  are  never  monotone. 
The  proof  of  this  fact  is  easy  [15]. 


Proposition 25

• $\mathrm{Mono}(A + B)$ if $\mathrm{Mono}(A)$ and $\mathrm{Mono}(B)$

• $\mathrm{Mono}(\Pi x{:}A.B)$ if $\mathrm{Mono}(A)$ and $\forall a \in A.\ \mathrm{Mono}(B[a/x])$

• $\mathrm{Mono}(\Sigma x{:}A.B)$ if $\mathrm{Mono}(A)$ and $\forall a \in A.\ \mathrm{Mono}(B[a/x])$

• $\mathrm{Mono}(\mathsf{N})$, $\mathrm{Mono}(a_1 = a_2\ \mathrm{in}\ A)$ and $\mathrm{Mono}(a\ \mathrm{in!}\ A)$


4.3  Set  and  Quotient  Types 

In addition to the type constructors discussed so far, the Nuprl type theory also contains two fairly novel types, Constable's set and quotient types [6]. These types allow the use of logical predicates (encoded as types using the propositions-as-types principle [14]) to refine or coarsen types in various ways.

$$a = a' \in \{x : A \mid B\} \;\text{iff}\; \{x : A \mid B\}\ \text{type} \;\wedge\; a = a' \in A \;\wedge\; \exists b.\ b \in B[a/x]$$

$$a = a' \in xy{:}A/\!/B \;\text{iff}\; (xy{:}A/\!/B)\ \text{type} \;\wedge\; a \in A \;\wedge\; a' \in A \;\wedge\; \exists b.\ b \in B[a, a'/x, y]$$

For $T \sim T'$ iff $T = T'$, and for $T \sim T'$ iff $T = T' \in U_i$:

$$\{x : A \mid B\} \sim \{x : A' \mid B'\} \;\text{iff}\; A \sim A' \;\wedge\; \forall a = a' \in A.\ B[a/x] \sim B[a'/x] \;\wedge\; \forall a = a' \in A.\ B'[a/x] \sim B'[a'/x] \;\wedge\; \exists t.\ t \in \Pi x{:}A.\ B \to B' \;\wedge\; \exists t.\ t \in \Pi x{:}A.\ B' \to B$$

(the last two conjuncts state that $B$ holds if and only if $B'$ holds)

$$(xy{:}A/\!/B) \sim (xy{:}A'/\!/B') \;\text{iff}\; A \sim A' \;\wedge\; \forall a_1 = a_1' \in A.\ \forall a_2 = a_2' \in A.\ B[a_1, a_2/x, y] \sim B[a_1', a_2'/x, y] \;\wedge\; \forall a_1 = a_1' \in A.\ \forall a_2 = a_2' \in A.\ B'[a_1, a_2/x, y] \sim B'[a_1', a_2'/x, y] \;\wedge\; \exists t.\ t \in \Pi x{:}A.\ \Pi y{:}A.\ B \to B' \;\wedge\; \exists t.\ t \in \Pi x{:}A.\ \Pi y{:}A.\ B' \to B \;\wedge\; \exists t.\ t \in \Pi x{:}A.\ B[x/y] \;\wedge\; \exists t.\ t \in \Pi x{:}A.\ \Pi y{:}A.\ B \to B[y, x/x, y] \;\wedge\; \exists t.\ t \in \Pi x{:}A.\ \Pi y{:}A.\ \Pi z{:}A.\ B \to B[y, z/x, y] \to B[z/y]$$

(the conjuncts after $A \sim A'$ state, in order, that $B$ and $B'$ respect equality in $A$, that $B$ holds if and only if $B'$ holds, and that $B$ is reflexive, symmetric and transitive)

Figure 4: Set and Quotient Type Definitions

The set type $\{x{:}T \mid P\}$ is the subtype of $T$ that contains all $t \in T$ such that $P[t/x]$ is inhabited (i.e., such that the proposition corresponding to $P[t/x]$ is true). The quotient type $xy{:}T/\!/E[x, y]$ (when $E[\cdot, \cdot]$ corresponds to an equivalence relation on $T$) is the supertype of $T$ that coarsens the equality on $T$ as follows: $t_1 = t_2 \in xy{:}T/\!/E$ if and only if $t_1, t_2 \in T$ and $E[t_1, t_2/x, y]$ is inhabited (i.e., true). The set and quotient types are defined formally in Figure 4.

The set type $\{x{:}A \mid B[x]\}$ is much like the dependent product type $\Sigma x{:}A.B[x]$ in that both provide a member $a$ of $A$ such that $B[a]$ is inhabited, but they differ in that the dependent product provides that inhabitant and the set type suppresses it. Given this parallel between the dependent product and set types, it is natural to expect that set types would have a similar admissibility rule: that $\{x : A \mid B\}$ is admissible if $A$ is admissible and $B$ is predicate-admissible for $x$ in $A$. Somewhat surprisingly, this turns out not to be the case. Suppose that $t^{[k]} \in \{x : A \mid B\}$ for all $k \ge j$. Then for every $k \ge j$, there exists some term $b_k \in B[t^{[k]}/x]$. We would like it to follow by predicate-admissibility that there exists $b_\omega \in B[t^{[\omega]}/x]$, but it does not. The problem is that each $b_k$ can be a completely different term, and predicate-admissibility applies only when each $b_k$ is of the form $b[f^k/w]$ for a single fixed $b$.

Intuitively, the desired rule fails because the set type $\{x : A \mid B\}$ suppresses the computational content of $B$ and therefore $B$ can be inhabited non-uniformly, by unrelated terms for related members of $A$. In contrast, if the chain $t^{[j]}, t^{[j+1]}, t^{[j+2]}, \ldots$ belongs to $\Sigma x{:}A.B$, then the chain $\pi_2(t^{[j]}), \pi_2(t^{[j+1]}), \pi_2(t^{[j+2]}), \ldots$ uniformly inhabits $B$.
For a concrete example, consider:

$$T \stackrel{\mathrm{def}}{=} \{g : \mathsf{N} \to \bar{\mathsf{N}} \mid \exists n{:}\mathsf{N}.\ (g\,n\ \mathrm{in!}\ \mathsf{N}) \to \mathsf{Void}\}$$

$$f \stackrel{\mathrm{def}}{=} \lambda h.\ \lambda x.\ \mathrm{if}\ x = 0\ \mathrm{then}\ 0\ \mathrm{else}\ h(x - 1)$$

$$t \stackrel{\mathrm{def}}{=} \lambda y.\ w\,y$$

The type $T$ is not admissible: For all $k$, $t^{[k]}\,k$ diverges, so $t^{[k]} \in T$; but $t^{[\omega]}$ converges for all arguments, so $t^{[\omega]} \notin T$. However, $\exists n{:}\mathsf{N}.\ (g\,n\ \mathrm{in!}\ \mathsf{N}) \to \mathsf{Void}$ is predicate-admissible for $g$ in $\mathsf{N} \to \bar{\mathsf{N}}$. The problem is that the inhabiting integers are not related by computational approximation; that is, they are not uniform.
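As an added illustration that is not part of the original paper, both halves of the claim can be checked by direct unfolding, using the paper's finite approximations $f^0 = \bot$, $f^{k+1} = f(f^k)$ and $t^{[k]} = t[f^k/w]$ (here $w$ is the variable that the approximations replace):

$$t^{[k]} = \lambda y.\ f^k\,y, \qquad f^{k}\,k \;\mapsto^*\; f^{k-1}\,(k-1) \;\mapsto^*\; \cdots \;\mapsto^*\; f^{0}\,0 \;=\; \bot\,0 \quad\text{(diverges)},$$

since each step $f^{i}\,i = f(f^{i-1})\,i \mapsto^* \mathrm{if}\ i = 0\ \mathrm{then}\ 0\ \mathrm{else}\ f^{i-1}(i-1)$ peels off exactly one level of approximation. Hence $n = k$ witnesses $\exists n{:}\mathsf{N}.\ (t^{[k]}\,n\ \mathrm{in!}\ \mathsf{N}) \to \mathsf{Void}$, the function type being vacuously inhabited because its domain is empty, so $t^{[k]} \in T$ for every $k$. For the limit, $t^{[\omega]} = \lambda y.\ \mathrm{fix}(f)\,y$ and, by induction on $n$,

$$\mathrm{fix}(f)\,0 \;\mapsto^*\; 0, \qquad \mathrm{fix}(f)\,(n+1) \;\mapsto^*\; \mathrm{fix}(f)\,n \;\Downarrow\; 0,$$

so $t^{[\omega]}\,n\ \mathrm{in!}\ \mathsf{N}$ is inhabited for every $n$, the selection predicate has no witness, and $t^{[\omega]} \notin T$. The witnesses $b_k = \langle k, \lambda q.\ q\rangle$ found above change with $k$, and no single $b$ can satisfy $b[f^k/w] \in B[t^{[k]}/g]$ for all $k$: predicate-admissibility of $B$ would then yield $b[\mathrm{fix}(f)/w] \in B[t^{[\omega]}/g]$, which is empty. This is exactly the non-uniformity the text describes.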

To show a set type admissible, we need to be able to show that the selection predicate can be inhabited uniformly:

Lemma 26 The type $\{x : A \mid B\}$ is admissible if:

• $\mathrm{Adm}(A)$, and

• $\mathrm{Adm}(B \mid x : A)$, and

• there exists $b$ such that $b[a/x] \in B[a/x]$ whenever $a \in A$ and $\exists b'.\ b' \in B[a/x]$.

We may give a similar predicate-admissibility condition:

Lemma 27 $\mathrm{Adm}(\{x : A \mid B\} \mid y : S)$ if $\forall s \in S.\ (\{x : A \mid B\})[s/y]$ type and $\Sigma y{:}S.A$ type and $\mathrm{Adm}(A \mid y : S)$ and $\mathrm{Adm}(B[\pi_1(z), \pi_2(z)/y, x] \mid z : \Sigma y{:}S.A)$, and there exists $b$ such that $b[a, s/x, y] \in B[a, s/x, y]$ whenever $s \in S$ and $a \in A[s/y]$ and $\exists b'.\ b' \in B[a, s/x, y]$


Coadmissibility and monotonicity work on single terms, not chains, so the uniformity issue does not arise, resulting in conditions fairly similar to those for dependent products:

Lemma 28

• $\mathrm{WCoAdm}(\{x : A \mid B\} \mid y : S)$ if $\forall s \in S.\ \{x : A \mid B\}[s/y]$ type and $\mathrm{WCoAdm}(A \mid y : S)$ and $\forall s \in S, a \in A[s/y].\ \mathrm{WCoAdm}(B[a/x] \mid y : S)$

• $\mathrm{CoAdm}(\{x : A \mid B\} \mid y : S)$ if $\forall s \in S.\ \{x : A \mid B\}[s/y]$ type and $\Sigma y{:}S.A$ type and $\mathrm{CoAdm}(A \mid y : S)$ and $\mathrm{WCoAdm}(B[\pi_1(z), \pi_2(z)/y, x] \mid z : (\Sigma y{:}S.A))$

• $\mathrm{Mono}(\{x : A \mid B\})$ if $\mathrm{Mono}(A)$


The conditions for quotient types are similar to those for set types:

Lemma 29

• $\mathrm{Adm}(xy{:}A/\!/B)$ if $\mathrm{Adm}(A)$ and $\mathrm{Adm}(B[\pi_1(z), \pi_2(z)/x, y] \mid z : A \times A)$, and there exists $b$ such that $b[a, a'/x, y] \in B[a, a'/x, y]$ whenever $a \in A$ and $a' \in A$ and $\exists b'.\ b' \in B[a, a'/x, y]$.

• $\mathrm{Adm}(xy{:}A/\!/B \mid z : S)$ if $\forall s \in S.\ (xy{:}A/\!/B)[s/z]$ type and $\Sigma z{:}S.(A \times A)$ type and $\mathrm{Adm}(A \mid z : S)$ and $\mathrm{Adm}(B[\pi_1(z'), \pi_1(\pi_2(z')), \pi_2(\pi_2(z'))/z, x, y] \mid z' : \Sigma z{:}S.(A \times A))$, and there exists $b$ such that $b[a, a', s/x, y, z] \in B[a, a', s/x, y, z]$ whenever $s \in S$ and $a \in A[s/z]$ and $a' \in A[s/z]$ and $\exists b'.\ b' \in B[a, a', s/x, y, z]$.

• $\mathrm{WCoAdm}(xy{:}A/\!/B \mid z : S)$ if $\forall s \in S.\ (xy{:}A/\!/B)[s/z]$ type and $\mathrm{WCoAdm}(A \mid z : S)$ and $\forall s \in S, a \in A[s/z], a' \in A[s/z].\ \mathrm{WCoAdm}(B[a, a'/x, y] \mid z : S)$

• $\mathrm{CoAdm}(xy{:}A/\!/B \mid z : S)$ if $\forall s \in S.\ (xy{:}A/\!/B)[s/z]$ type and $\Sigma z{:}S.(A \times A)$ type and $\mathrm{CoAdm}(A \mid z : S)$ and $\mathrm{CoAdm}(B[\pi_1(z'), \pi_1(\pi_2(z')), \pi_2(\pi_2(z'))/z, x, y] \mid z' : \Sigma z{:}S.(A \times A))$

• $\mathrm{Mono}(xy{:}A/\!/B)$ if $\mathrm{Mono}(A)$


4.4 Summary

Figure 5 provides a summary of the basic admissibility results of this chapter. It is worthwhile to note that all these results are proved constructively, with the exception of (weak and full) coadmissibility of partial types. The following theorem shows that the proofs of coadmissibility of partial types are necessarily classical; if a constructive proof existed then one could extract an algorithm meeting the theorem's specification, which could be used to solve the halting problem.

Theorem 30 There does not exist an algorithm that computes an integer $j$ such that $\forall k \ge j.\ t = t' \in T[e^{[k]}/x]$, when given $S$, $T$, $f$, $t$, $t'$, $e$ and $i$ such that:

• $\forall s \in S.\ T[s/x]$ type

• $\mathrm{CoAdm}(T \mid x : S)$

• $e^{[\omega]} \in S$

• $\forall k \ge i.\ e^{[k]} \in S$

• $t = t' \in T[e^{[\omega]}/x]$

Recall the inadmissible type $T$ from Theorem 2. That type fails the predicate-admissibility condition because of the negative appearance of a function type, which could not be shown weakly coadmissible, and it fails the monotonicity condition because it contains the partial type $\bar{\mathsf{N}}$.


5  Conclusions 


An  interesting  avenue  for  future  investigation  would  be  to  find  some  negative  results  characterizing 
inadmissible  types.  Such  negative  results  would  be  particularly  interesting  if  they  could  be  given 
| For $T =$ | $A + B$ | $\Pi x{:}A.B$ | $\Sigma x{:}A.B$ |
|---|---|---|---|
| $\mathrm{Adm}(T)$ if $T$ type and | $\mathrm{Adm}(A) \wedge \mathrm{Adm}(B)$ | $\forall a \in A.\ \mathrm{Adm}(B[a/x])$ | $\mathrm{Adm}(A) \wedge \mathrm{Adm}(B \mid x : A)$ |
| $\mathrm{Adm}(T \mid y : S)$ if $\forall s \in S.\ T[s/y]$ type and | $\mathrm{Adm}(A \mid y : S) \wedge \mathrm{Adm}(B \mid y : S)$ | $\mathrm{WCoAdm}(A \mid y : S) \wedge \forall s \in S, a \in A[s/y].\ \mathrm{Adm}(B[a/x] \mid y : S)$ | $\mathrm{Adm}(A \mid y : S) \wedge \mathrm{Adm}(B[\pi_1(z), \pi_2(z)/y, x] \mid z : (\Sigma y{:}S.A)) \wedge \Sigma y{:}S.A$ type |
| $\mathrm{WCoAdm}(T \mid y : S)$ if $\forall s \in S.\ T[s/y]$ type and | $\mathrm{WCoAdm}(A \mid y : S) \wedge \mathrm{WCoAdm}(B \mid y : S)$ | — | $\mathrm{WCoAdm}(A \mid y : S) \wedge \forall s \in S, a \in A[s/y].\ \mathrm{WCoAdm}(B[a/x] \mid y : S)$ |
| $\mathrm{CoAdm}(T \mid y : S)$ if $\forall s \in S.\ T[s/y]$ type and | $\mathrm{CoAdm}(A \mid y : S) \wedge \mathrm{CoAdm}(B \mid y : S)$ | — | $\mathrm{CoAdm}(A \mid y : S) \wedge \mathrm{CoAdm}(B[\pi_1(z), \pi_2(z)/y, x] \mid z : (\Sigma y{:}S.A)) \wedge \Sigma y{:}S.A$ type |
| $\mathrm{Mono}(T)$ if | $\mathrm{Mono}(A) \wedge \mathrm{Mono}(B)$ | $\mathrm{Mono}(A) \wedge \forall a \in A.\ \mathrm{Mono}(B[a/x])$ | $\mathrm{Mono}(A) \wedge \forall a \in A.\ \mathrm{Mono}(B[a/x])$ |

| For $T =$ | $\mathsf{N}$, $a\ \mathrm{in!}\ A$ | $a_1 = a_2\ \mathrm{in}\ A$ | $\bar{A}$ |
|---|---|---|---|
| $\mathrm{Adm}(T)$ if $T$ type and | yes | yes | $\mathrm{Adm}(A)$ |
| $\mathrm{Adm}(T \mid y : S)$ if $\forall s \in S.\ T[s/y]$ type and | yes | $\mathrm{Adm}(A \mid y : S)$ | $\mathrm{Adm}(A \mid y : S)$ |
| $\mathrm{WCoAdm}(T \mid y : S)$ if $\forall s \in S.\ T[s/y]$ type and | yes | $\mathrm{CoAdm}(A \mid y : S)$ | $\mathrm{WCoAdm}(A \mid y : S)$ |
| $\mathrm{CoAdm}(T \mid y : S)$ if $\forall s \in S.\ T[s/y]$ type and | yes | $\mathrm{CoAdm}(A \mid y : S)$ | $\mathrm{CoAdm}(A \mid y : S)$ |
| $\mathrm{Mono}(T)$ if | yes | yes | — |

Figure 5: Admissibility, coadmissibility and monotonicity conditions


a  syntactic  character,  like  the  results  of  this  chapter.  Along  these  lines,  it  would  be  interesting  to 
find  whether  the  inability  to  show  coadmissibility  of  function  types  represents  a  weakness  of  this 
proof  technique  or  an  inherent  limitation. 

The results presented above provide metatheoretical justification for the fixpoint principle over many types. In order for these results to be useful in theorem proving, they must be introduced into the logic. One way to do this, and the way it is done in my implementation of partial types in the Nuprl proof assistant [11], is to introduce types to represent the assertions $\mathrm{Adm}(T)$, $\mathrm{Adm}(T \mid x : S)$, etc., that are inhabited exactly when the underlying assertion is true (in much the same way as the equality type is inhabited exactly when the equands are equal), and to add rules relating to these types that correspond to the lemmas of Section 4. This brings the tools into the system in a semantically justifiable way, but it is unpleasant in that it leads to a proliferation of new types and inference rules stemming from discoveries outside the logic. It would be preferable to deal with admissibility within the logic. A theory with intensional reasoning principles, such as the one proposed in Constable and Crary [7], would allow reasoning about computation internally. Then these results could be proved within the theory and the only extra rule that would be required would be a single rule relating admissibility to the fixpoint principle.

However they are placed into the logic, these results allow for recursive computation on a wide variety of types. This makes partial types and fixpoint induction a useful tool in type-theoretic theorem provers. It also makes it possible to study many recursive programs that used to be barred from the logic because they could not be typed.

A Proofs


Theorem 2 There exist inadmissible types.

Proof

This example is due to Smith [24]. Let the type $T$ and the function $f$ be defined as follows:

$$T \stackrel{\mathrm{def}}{=} \Sigma h{:}(\mathsf{N} \to \bar{\mathsf{N}}).\ ((\Pi x{:}\mathsf{N}.\ h\,x\ \mathrm{in!}\ \mathsf{N}) \to \mathsf{Void})$$

$$f \stackrel{\mathrm{def}}{=} \lambda p.\ \langle g, \lambda y.\,\ast\rangle$$

$$g \stackrel{\mathrm{def}}{=} \lambda x.\ \mathrm{if}\ x = 0\ \mathrm{then}\ 0\ \mathrm{else}\ \pi_1(p)(x - 1)$$

It is easy to verify that $T$ type. We wish to show that $f$ has type $\bar{T} \to \bar{T}$. Suppose $t = t' \in \bar{T}$. We need $g[t/p] = g[t'/p] \in \mathsf{N} \to \bar{\mathsf{N}}$ and $\lambda y.\,\ast \in (\Pi x{:}\mathsf{N}.\ (g[t/p])\,x\ \mathrm{in!}\ \mathsf{N}) \to \mathsf{Void}$. The former is easily shown; to show the latter, I assume that $(g[t/p])\,n$ converges for every natural number $n$ and derive a contradiction. It then follows that $\Pi x{:}\mathsf{N}.\ (g[t/p])\,x\ \mathrm{in!}\ \mathsf{N}$ is empty and $\lambda y.\,\ast$ is vacuously a function from any empty type to $\mathsf{Void}$. Suppose $(g[t/p])\,n$ converges for every natural number $n$. Then the term $\mathrm{if}\ n = 0\ \mathrm{then}\ 0\ \mathrm{else}\ \pi_1(t)(n - 1)$ also converges for every natural number $n$. It follows that $t \Downarrow$ since $\pi_1(t)(0) \Downarrow$, and hence $t \in T$. Thus $(\Pi x{:}\mathsf{N}.\ \pi_1(t)(x)\ \mathrm{in!}\ \mathsf{N}) \to \mathsf{Void}$ is inhabited (by $\pi_2(t)$) and consequently it cannot be the case that $\pi_1(t)(n) \Downarrow$ for every natural number $n$. But this is a contradiction since $\pi_1(t)(n - 1) \Downarrow$ for every $n \ge 1$. Therefore $f \in \bar{T} \to \bar{T}$.

However, it is not the case that $\mathrm{fix}(f) \in \bar{T}$. Suppose $\mathrm{fix}(f) \in \bar{T}$. Then $\mathrm{fix}(f) \in T$ since $\mathrm{fix}(f)$ converges (in two steps). Thus $\pi_2(\mathrm{fix}(f)) \in (\Pi x{:}\mathsf{N}.\ \pi_1(\mathrm{fix}(f))(x)\ \mathrm{in!}\ \mathsf{N}) \to \mathsf{Void}$, which implies that $\pi_1(\mathrm{fix}(f))$ is not total on $\mathsf{N}$, but it is easy to show by induction that $\pi_1(\mathrm{fix}(f))$ is in fact total (on $\mathsf{N}$). Therefore $\mathrm{fix}(f) \notin \bar{T}$ and hence $\bar{T}$ is not admissible. □

Lemma 6 If $e_1[t/x] \mapsto e_2$, and $e_1[t/x]$ is closed, and $t$ is closed and noncanonical, then either

• there exists $e_2'$ such that for any closed $t'$, $e_1[t'/x] \mapsto e_2'[t'/x]$, or

• there exist $e_1'$ and $t'$ such that $e_1 = e_1'[x/y]$, $t \mapsto t'$ and for any closed $t''$, $e_1'[t'', t/x, y] \mapsto e_1'[t'', t'/x, y]$.

Proof

Suppose $e_1 = x$. Then $t = e_1[t/x] \mapsto e_2$. Let $e_1' = y$ and $t' = e_2$. Then $e_1'[t'', t/x, y] = t \mapsto t' = e_1'[t'', t'/x, y]$. The remaining cases are by induction on the derivation of $e_1[t/x] \mapsto e_2$. I show the lambda rules; the other cases are similar.

Suppose the rule used is:

$$(\lambda z.\,b)\,a \;\mapsto\; b[a/z]$$

The term $e_1[t/x]$ must have the form of a lambda abstraction applied to an argument. Thus $e_1$ must be of the form $(\lambda z.\,b)\,a$, since $e_1 = x$ is already handled and $e_1 = x\,a$ is impossible because $t$ is noncanonical. Let $e_2' = b[a/z]$ and suppose $t'$ is closed. Then:

$$\begin{aligned}
e_1[t'/x] &= (\lambda z.\,b[t'/x])\,(a[t'/x]) \\
&\mapsto b[t'/x][a[t'/x]/z] \\
&= b[a/z][t'/x] \quad \text{(since $t'$ is closed)} \\
&= e_2'[t'/x]
\end{aligned}$$

Suppose the rule used is:

$$\frac{f_1 \mapsto f_2}{f_1\,a \;\mapsto\; f_2\,a}$$

Then it must be the case that $e_1$ is of the form $f_1\,a$ (since $e_1 = x$ is already handled) and $f_1[t/x] \mapsto f_2$ (for some $f_2$). Hence the induction hypothesis holds for $f_1$. Suppose the first case holds: there exists $f_2'$ such that for any closed $t'$, $f_1[t'/x] \mapsto f_2'[t'/x]$. Let $e_2' = f_2'\,a$ and suppose $t'$ is closed. Then:

$$\begin{aligned}
e_1[t'/x] &= (f_1[t'/x])\,(a[t'/x]) \\
&\mapsto (f_2'[t'/x])\,(a[t'/x]) \\
&= e_2'[t'/x]
\end{aligned}$$

Suppose the second case holds: there exist $f_1'$ and $t'$ such that $f_1 = f_1'[x/y]$, $t \mapsto t'$ and for any closed $t''$, $f_1'[t'', t/x, y] \mapsto f_1'[t'', t'/x, y]$. Let $e_1' = f_1'\,a$ and suppose $t''$ is closed. Then:

$$\begin{aligned}
e_1'[t'', t/x, y] &= (f_1'[t'', t/x, y])\,(a[t'', t/x, y]) \\
&= (f_1'[t'', t/x, y])\,(a[t'', t'/x, y]) \quad \text{(since $y$ is not free in $a$)} \\
&\mapsto (f_1'[t'', t'/x, y])\,(a[t'', t'/x, y]) \\
&= e_1'[t'', t'/x, y]
\end{aligned}$$

□


Lemma 7 For all $f$, $e_1$ and $e_2$ (where $f$ is closed and $x$ is the only free variable of $e_1$), there exist $j$ and $e_2'$ such that if $e_1[\mathrm{fix}(f)/x] \mapsto^* e_2$ then $e_2 = e_2'[\mathrm{fix}(f)/x]$ and for all $k \ge j$, $e_2'[f^{k-j}/x] \le e_1[f^k/x]$.

Proof

I show the lemma for evaluations of length exactly one. The result then follows by induction on the length of the evaluation sequence, summing the numbers $j$.

Use Lemma 6. Suppose the first case holds: there exists $e_2'$ such that for any closed $t$, $e_1[t/x] \mapsto e_2'[t/x]$. Then $e_1[\mathrm{fix}(f)/x] \mapsto e_2'[\mathrm{fix}(f)/x]$ and, for any $k$, $e_1[f^k/x] \mapsto e_2'[f^k/x]$. Thus $e_2'[f^{k-0}/x] \le e_1[f^k/x]$. Suppose the second case holds: there exists $e_1'$ such that $e_1 = e_1'[x/y]$ and for any closed $t$, $e_1'[t, \mathrm{fix}(f)/x, y] \mapsto e_1'[t, f(\mathrm{fix}(f))/x, y]$. Let $e_2' = e_1'[f\,x/y]$. Then $e_1[\mathrm{fix}(f)/x] \mapsto e_2'[\mathrm{fix}(f)/x]$. Suppose $k \ge 1$; then $e_2'[f^{k-1}/x] = e_1'[f^{k-1}, f^k/x, y] \le e_1'[f^k, f^k/x, y] = e_1[f^k/x]$. □

Theorem 8 For all $f$, $t$ and $e$ (where $f$ is closed), if $\forall j.\ e[f^j/x] \le t$, then $e[\mathrm{fix}(f)/x] \le t$.

Proof

By induction on $l$ I show that for all $f$, $t$ and $e$ (where $f$ is closed), $(\forall j.\ e[f^j/x] \le t) \Rightarrow e[\mathrm{fix}(f)/x] \le_l t$. The result follows by the definition of $\le$. The basis is trivial.

Assume the induction hypothesis for $l$ and $\forall j.\ e[f^j/x] \le t$. Let $\sigma$ be a substitution such that $\sigma(e[\mathrm{fix}(f)/x])$ and $\sigma(t)$ are closed and suppose, without loss of generality, that $\sigma$ does not substitute for $x$. Then $\sigma(e[\mathrm{fix}(f)/x]) = \sigma(e)[\mathrm{fix}(f)/x]$, $\sigma(e[f^j/x]) = \sigma(e)[f^j/x]$ (for any $j$), and the only free variable of $\sigma(e)$ is $x$. Suppose $\sigma(e[\mathrm{fix}(f)/x]) \Downarrow e'$. By Lemma 7, $e' = e''[\mathrm{fix}(f)/x]$ and, for some $j$ and all $k \ge j$, $e''[f^{k-j}/x] \le \sigma(e)[f^k/x]$. Then, by assumption and transitivity, $\forall k \ge j.\ e''[f^{k-j}/x] \le \sigma(t)$. Therefore, changing variables to replace $k - j$ with $k$, $e''[f^k/x] \le \sigma(t)$ for any $k$.

Let $e'' = \theta(x_1.t_1, \ldots, x_n.t_n)$ (and suppose, without loss of generality, that $x$ does not appear in any $x_i$). Then $\sigma(t) \Downarrow \theta(x_1.t_1', \ldots, x_n.t_n')$ where, for $1 \le i \le n$ and any $k$, $t_i[f^k/x] \le t_i'$. By induction, $t_i[\mathrm{fix}(f)/x] \le_l t_i'$, for any $i$. Therefore $\sigma(e[\mathrm{fix}(f)/x]) \le_{l+1} \sigma(t)$ and hence $e[\mathrm{fix}(f)/x] \le_{l+1} t$. □

Lemma 17

• $\mathrm{Adm}(A + B \mid y : S)$ if $\forall s \in S.\ (A + B)[s/y]$ type and $\mathrm{Adm}(A \mid y : S)$ and $\mathrm{Adm}(B \mid y : S)$.

• $\mathrm{Adm}(\Sigma x{:}A.B \mid y : S)$ if $\forall s \in S.\ (\Sigma x{:}A.B)[s/y]$ type and $\Sigma y{:}S.A$ type and $\mathrm{Adm}(A \mid y : S)$ and $\mathrm{Adm}(B[\pi_1(z), \pi_2(z)/y, x] \mid z : (\Sigma y{:}S.A))$

• $\mathrm{Adm}(\mathsf{N} \mid y : S)$

• $\mathrm{Adm}(a_1 = a_2\ \mathrm{in}\ A \mid y : S)$ if $\forall s \in S.\ (a_1 = a_2\ \mathrm{in}\ A)[s/y]$ type and $\mathrm{Adm}(A \mid y : S)$

• $\mathrm{Adm}(\bar{A} \mid y : S)$ if $\forall s \in S.\ \bar{A}[s/y]$ type and $\mathrm{Adm}(A \mid y : S)$

• $\mathrm{Adm}(a\ \mathrm{in!}\ A \mid y : S)$ if $\forall s \in S.\ (a\ \mathrm{in!}\ A)[s/y]$ type

Proof

I show the product and equality cases; the other cases are similar but easier.

Case 1: For the product case, let $f$, $t$, $t'$ and $e$ be arbitrary. Suppose $e^{[\omega]} \in S$ and $j$ is such that $\forall k \ge j.\ e^{[k]} \in S \wedge t^{[k]} = t'^{[k]} \in (\Sigma x{:}A.B)[e^{[k]}/y]$. It is necessary to show that $t^{[\omega]} = t'^{[\omega]} \in (\Sigma x{:}A.B)[e^{[\omega]}/y]$. Since $e^{[\omega]} \in S$, it follows that $(\Sigma x{:}A.B)[e^{[\omega]}/y]$ type. Both $t^{[j]}$ and $t'^{[j]}$ converge to pairs, so, by Corollary 5, $t^{[\omega]} \Downarrow \langle a, b\rangle$ and $t'^{[\omega]} \Downarrow \langle a', b'\rangle$ for some terms $a$, $b$, $a'$ and $b'$. To get that $b = b' \in B[e^{[\omega]}/y][a/x]$, it suffices to show that $\pi_2(t^{[\omega]}) = \pi_2(t'^{[\omega]}) \in B[e^{[\omega]}/y][\pi_1(t^{[\omega]})/x]$. Rearranging, it suffices to show equality in $B[\pi_1(z), \pi_2(z)/y, x][\langle e, \pi_1(t)\rangle^{[\omega]}/z]$.

Since $\mathrm{Adm}(B[\pi_1(z), \pi_2(z)/y, x] \mid z : (\Sigma y{:}S.A))$, it suffices to show that $\langle e, \pi_1(t)\rangle^{[\omega]} \in \Sigma y{:}S.A$ and $\forall k \ge j.\ \langle e, \pi_1(t)\rangle^{[k]} \in \Sigma y{:}S.A \wedge \pi_2(t^{[k]}) = \pi_2(t'^{[k]}) \in B[\pi_1(z), \pi_2(z)/y, x][\langle e, \pi_1(t)\rangle^{[k]}/z]$. The former will follow from $a \in A[e^{[\omega]}/y]$ and the supposition. The left half of the latter also follows from the supposition. Rearranging the right half, it suffices to show that $\pi_2(t^{[k]}) = \pi_2(t'^{[k]}) \in B[e^{[k]}/y][\pi_1(t^{[k]})/x]$, which follows from the supposition. The proof that $a = a' \in A[e^{[\omega]}/y]$ is similar but easier. Hence $t^{[\omega]} = t'^{[\omega]} \in (\Sigma x{:}A.B)[e^{[\omega]}/y]$.

Case 2: For the equality case, again let $f$, $t$, $t'$ and $e$ be arbitrary. Suppose $e^{[\omega]} \in S$ and $j$ is such that $\forall k \ge j.\ e^{[k]} \in S \wedge t^{[k]} = t'^{[k]} \in (a_1 = a_2\ \mathrm{in}\ A)[e^{[k]}/y]$. It is necessary to show that $t^{[\omega]} = t'^{[\omega]} \in (a_1 = a_2\ \mathrm{in}\ A)[e^{[\omega]}/y]$. Since $e^{[\omega]} \in S$, it follows that $(a_1 = a_2\ \mathrm{in}\ A)[e^{[\omega]}/y]$ type. Both $t^{[j]}$ and $t'^{[j]}$ converge to $\ast$, so, by Corollary 5, $t^{[\omega]}$ and $t'^{[\omega]}$ converge to $\ast$. It remains to show that $a_1[e^{[\omega]}/y] = a_2[e^{[\omega]}/y] \in A[e^{[\omega]}/y]$. Since $\mathrm{Adm}(A \mid y : S)$, it suffices to show that $\forall k \ge j.\ e^{[k]} \in S \wedge a_1[e^{[k]}/y] = a_2[e^{[k]}/y] \in A[e^{[k]}/y]$. This follows since $(a_1 = a_2\ \mathrm{in}\ A)[e^{[k]}/y]$ is inhabited for all $k \ge j$. □

Lemma 19 $\mathrm{Adm}(\Pi x{:}A.B \mid y : S)$ if $\forall s \in S.\ (\Pi x{:}A.B)[s/y]$ type and $\mathrm{WCoAdm}(A \mid y : S)$ and $\forall s \in S, a \in A[s/y].\ \mathrm{Adm}(B[a/x] \mid y : S)$

Proof

Let $f$, $t$, $t'$ and $e$ be arbitrary. Suppose $e^{[\omega]} \in S$ and $j$ is such that $\forall k \ge j.\ e^{[k]} \in S \wedge t^{[k]} = t'^{[k]} \in (\Pi x{:}A.B)[e^{[k]}/y]$. I need to show that $t^{[\omega]} = t'^{[\omega]} \in (\Pi x{:}A.B)[e^{[\omega]}/y]$. Since $e^{[\omega]} \in S$, it follows that $(\Pi x{:}A.B)[e^{[\omega]}/y]$ type. Both $t^{[j]}$ and $t'^{[j]}$ converge to lambda abstractions, so, by Corollary 5, $t^{[\omega]} \Downarrow \lambda x.\,b$ and $t'^{[\omega]} \Downarrow \lambda x.\,b'$ for some terms $b$ and $b'$. Suppose $a = a' \in A[e^{[\omega]}/y]$. To get that $b[a/x] = b'[a'/x] \in B[e^{[\omega]}, a/y, x]$ it suffices to show that $t^{[\omega]}\,a = t'^{[\omega]}\,a' \in B[e^{[\omega]}, a/y, x]$.

Since $e^{[\omega]} \in S$, it follows that $\mathrm{Adm}(B[a/x] \mid y : S)$. Therefore, it suffices to show that for some $j'$ and all $k \ge j'$, $t^{[k]}\,a = t'^{[k]}\,a' \in B[e^{[k]}, a/y, x]$. Since $\mathrm{WCoAdm}(A \mid y : S)$, there exists $j''$ such that $\forall k \ge j''.\ a = a' \in A[e^{[k]}/y]$. Therefore $j' = \max(j, j'')$ suffices. □

Lemma 20

• $A + B$ is (weakly) coadmissible for $y$ in $S$ if $\forall s \in S.\ (A + B)[s/y]$ type and $A$ and $B$ are (weakly) coadmissible for $y$ in $S$

• $\mathrm{WCoAdm}(\Sigma x{:}A.B \mid y : S)$ if $\forall s \in S.\ (\Sigma x{:}A.B)[s/y]$ type and $\mathrm{WCoAdm}(A \mid y : S)$ and $\forall s \in S, a \in A[s/y].\ \mathrm{WCoAdm}(B[a/x] \mid y : S)$

• $\mathrm{CoAdm}(\Sigma x{:}A.B \mid y : S)$ if $\forall s \in S.\ (\Sigma x{:}A.B)[s/y]$ type and $\Sigma y{:}S.A$ type and $\mathrm{CoAdm}(A \mid y : S)$ and $\mathrm{CoAdm}(B[\pi_1(z), \pi_2(z)/y, x] \mid z : (\Sigma y{:}S.A))$

• $\mathsf{N}$ is strongly or weakly coadmissible for $y$ in any $S$

• $\mathrm{CoAdm}(a_1 = a_2\ \mathrm{in}\ A \mid y : S)$ if $\forall s \in S.\ (a_1 = a_2\ \mathrm{in}\ A)[s/y]$ type and $\mathrm{CoAdm}(A \mid y : S)$

• $\bar{A}$ is (weakly) coadmissible for $y$ in $S$ if $\forall s \in S.\ \bar{A}[s/y]$ type and $A$ is (weakly) coadmissible for $y$ in $S$

• $a\ \mathrm{in!}\ A$ is strongly or weakly coadmissible for $y$ in $S$ if $\forall s \in S.\ (a\ \mathrm{in!}\ A)[s/y]$ type

Proof

The proof is largely similar to the preceding proofs, but inverted. I show the proofs for full coadmissibility of products and partial types.

Case 1: For the product case, let $f$, $t$, $t'$ and $e$ be arbitrary. Suppose $e^{[\omega]} \in S$, $j$ is such that $\forall k \ge j.\ e^{[k]} \in S$, and $t^{[\omega]} = t'^{[\omega]} \in (\Sigma x{:}A.B)[e^{[\omega]}/y]$. It is necessary to show that there exists $j'$ such that $\forall k \ge j'.\ t^{[k]} = t'^{[k]} \in (\Sigma x{:}A.B)[e^{[k]}/y]$. For any $k \ge j$, $(\Sigma x{:}A.B)[e^{[k]}/y]$ type. Both $t^{[\omega]}$ and $t'^{[\omega]}$ converge to pairs, so, by compactness, there exists some $j''$ such that for all $k \ge j''$, $t^{[k]}$ and $t'^{[k]}$ converge to pairs. Thus it suffices to show that for some $j' \ge \max(j, j'')$ and all $k \ge j'$, $\pi_1(t^{[k]}) = \pi_1(t'^{[k]}) \in A[e^{[k]}/y]$ and $\pi_2(t^{[k]}) = \pi_2(t'^{[k]}) \in B[e^{[k]}, \pi_1(t^{[k]})/y, x]$. I show the latter; the former is similar.

Rearranging, it suffices to show equality in $B[\pi_1(z), \pi_2(z)/y, x][\langle e, \pi_1(t)\rangle^{[k]}/z]$. By coadmissibility, it suffices to show $\langle e, \pi_1(t)\rangle^{[\omega]} \in \Sigma y{:}S.A$ and $\exists j'''.\ \forall k \ge j'''.\ \langle e, \pi_1(t)\rangle^{[k]} \in \Sigma y{:}S.A$ and $\pi_2(t^{[\omega]}) = \pi_2(t'^{[\omega]}) \in B[\pi_1(z), \pi_2(z)/y, x][\langle e, \pi_1(t)\rangle^{[\omega]}/z]$. The first follows from the supposition and the second will follow from $\pi_1(t^{[k]}) \in A[e^{[k]}/y]$ and the supposition. Rearranging the third, it suffices to show that $\pi_2(t^{[\omega]}) = \pi_2(t'^{[\omega]}) \in B[e^{[\omega]}/y][\pi_1(t^{[\omega]})/x]$, which follows from the supposition.

Case 2: For the partial type case, let $f$, $t$, $t'$ and $e$ be arbitrary. Suppose $e^{[\omega]} \in S$, $j$ is such that $\forall k \ge j.\ e^{[k]} \in S$, and $t^{[\omega]} = t'^{[\omega]} \in \bar{A}[e^{[\omega]}/y]$. I need to show that there exists $j'$ such that $\forall k \ge j'.\ t^{[k]} = t'^{[k]} \in \bar{A}[e^{[k]}/y]$. For any $k \ge j$, $\bar{A}[e^{[k]}/y]$ type. Suppose $t^{[\omega]}$ does not converge. (Note the non-constructivity of this argument.) Then $t'^{[\omega]}$ does not converge and neither does $t^{[k]}$ or $t'^{[k]}$ for any $k$ (since $t^{[k]} \le t^{[\omega]}$ and $t'^{[k]} \le t'^{[\omega]}$ for all $k$). Thus for all $k \ge j$, $t^{[k]} = t'^{[k]} \in \bar{A}[e^{[k]}/y]$.

Suppose $t^{[\omega]}$ converges. Then $t^{[\omega]} = t'^{[\omega]} \in A[e^{[\omega]}/y]$. By coadmissibility, there exists $j'$ such that $\forall k \ge j'.\ t^{[k]} = t'^{[k]} \in A[e^{[k]}/y]$. Hence $\forall k \ge \max(j, j').\ t^{[k]} = t'^{[k]} \in \bar{A}[e^{[k]}/y]$. □


Lemma  22  (Predicate-admissibility  and  weak  and  full  coadmissibility  of  case  analysis.) 

Proof 

The  proof  follows  the  same  lines  as  those  of  Lemmas  17  and  20. 


Lemma 26 The type $\{x{:}A \mid B\}$ is admissible if:

• Adm($A$), and

• Adm($B \mid x{:}A$), and

• there exists $b$ such that $b[a/x] \in B[a/x]$ whenever $a \in A$ and $\exists b'.\ b' \in B[a/x]$.

Proof

Let $f$, $t$ and $t'$ be arbitrary. Suppose $j$ is such that $\forall k > j.\ t^{[k]} = t'^{[k]} \in \{x{:}A \mid B\}$. Since $\{x{:}A \mid B\}$ is inhabited it is a type. Since Adm($A$), $t^{[\omega]} = t'^{[\omega]} \in A$. By set membership, for all $k > j$ there exists $b'$ such that $b' \in B[t^{[k]}/x]$. Thus $b[t^{[k]}/x] \in B[t^{[k]}/x]$ for all $k > j$. Hence $b[t^{[\omega]}/x] \in B[t^{[\omega]}/x]$ follows by predicate-admissibility. □


Lemma 27 (Predicate-admissibility of set types.)

Proof

The proof follows the same lines as Lemma 26.


Lemma 28 (Weak and full coadmissibility and monotonicity of set types.)

Proof

The proof follows the same lines as Lemma 20 and Proposition 25.


Lemma 29 (Admissibility, predicate-admissibility, weak and full coadmissibility and monotonicity of quotient types.)

Proof

The proof follows the same lines as the proofs for the set type.

Theorem 30 There does not exist an algorithm that computes an integer $j$ such that $\forall k > j.\ t = t' \in T[e^{[k]}/x]$ when given $S$, $T$, $f$, $t$, $t'$, $e$ and $i$ such that:

• $\forall s \in S.\ T[s/x]$ type

• CoAdm($T \mid x{:}S$)

• $e^{[\omega]} \in S$

• $\forall k > i.\ e^{[k]} \in S$

• $t = t' \in T[e^{[\omega]}/x]$

Proof

Suppose such an algorithm exists. Let $g$ be an arbitrary term that computes a total function on integers; that is, $g \in N \to N$. Given the algorithm, we may effectively determine whether $g$ iterated on 1 ever computes 0, which is certainly undecidable. Let $f = \lambda h.\,\lambda n.\ \mathrm{if}\ n =_N 0\ \mathrm{then}\ 0\ \mathrm{else}\ h(g\,n)$ and let $h = \mathrm{fix}(f)$. Note that $f \in (N \to \bar{N}) \to N \to \bar{N}$ and $h \in N \to \bar{N}$. By construction, $g$ iterated on 1 computes 0 if and only if $h(1)\downarrow$.

We will use the algorithm to determine an upper bound on the number of recursive calls needed to simulate $h$. Let

$S = \bar{N}$
$T = (x\ \mathbf{in}\ N)$
$f$ = as above
$t, t' = \mathrm{let}\ y = h(1)\ \mathrm{in}\ \star$
$e = w(1)$
$i = 0$

Observe that $e^{[\omega]} = h(1)$ and $e^{[k]} = f^k(1)$, so the first four preconditions of the algorithm are satisfied. Moreover, CoAdm($T \mid x{:}S$) can be shown constructively. For the final precondition, suppose $t\downarrow$. Then $h(1)\downarrow$, so $t \in (h(1)\ \mathbf{in}\ N)$.

Therefore let $j$ be the result computed by the algorithm. I show that $f^j(1)\downarrow$ exactly when $h(1)\downarrow$. Since $f^j(1)$ approximates $h(1)$, it follows that $f^j(1)\downarrow$ implies $h(1)\downarrow$. By the algorithm specification, $t \in (f^j(1)\ \mathbf{in}\ N)$. If $h(1)\downarrow$ then $t\downarrow$, so $t \in (f^j(1)\ \mathbf{in}\ N)$ and consequently $f^j(1)\downarrow$.

Let $h' = \underbrace{f(f(\cdots f}_{j\ \text{times}}(\lambda y.\,1)\cdots))$, and observe that $f^j(1)\downarrow$ exactly when $h'(1) \Downarrow 0$. Consequently $h(1)\downarrow$ exactly when $h'(1) \Downarrow 0$. However, $h'$ is total, so we may decide whether $h(1)\downarrow$ by running $h'(1)$. □
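The reduction in this proof has a directly executable core, and the following Python model (an added illustration, not code from the paper) makes it concrete. Divergence is modelled by raising an exception, $f^k$ is $f$ unrolled $k$ times from the everywhere-divergent function, and $h'$ is the same unrolling from the total base $\lambda y.\,1$. The sample functions `g_dec`, `g_hop` and `g_inc` are constructed for the example, and the names `approximant`, `h_prime`, `least_unrolling` and `matches_proof` are chosen here rather than taken from the paper; the model shows that $f^j(1)$ converges exactly when $h'(1)$ evaluates to 0, for every $j$ and every sample $g$.

```python
# Added example (not from the paper): an executable model of the reduction in
# the proof of Theorem 30.  Bottom (divergence) is modelled by raising Diverge.


class Diverge(Exception):
    """Raised to model a computation that does not converge."""


def bottom(_n):
    """The everywhere-divergent function: base of the approximation chain."""
    raise Diverge


def make_f(g):
    """f = lambda h. lambda n. if n = 0 then 0 else h(g n), for a total g."""
    def f(h):
        def body(n):
            return 0 if n == 0 else h(g(n))
        return body
    return f


def unroll(g, k, base):
    """Apply f to base k times: f(f(...f(base)...))."""
    f = make_f(g)
    h = base
    for _ in range(k):
        h = f(h)
    return h


def approximant(g, k):
    """f^k applied to bottom: the k-th approximation of fix(f)."""
    return unroll(g, k, bottom)


def h_prime(g, j):
    """The total function h' of the proof: f unrolled j times from lambda y. 1."""
    return unroll(g, j, lambda _y: 1)


def converges(h, n):
    """Does h(n) converge in the model?"""
    try:
        h(n)
        return True
    except Diverge:
        return False


def least_unrolling(g, k_max):
    """Smallest k <= k_max with f^k(1) convergent, or None if there is none.
    This is the bound on recursive calls that the proof extracts from j."""
    for k in range(k_max + 1):
        if converges(approximant(g, k), 1):
            return k
    return None


def matches_proof(g, j):
    """The proof's key equivalence: f^j(1) converges iff h'(1) evaluates to 0."""
    return converges(approximant(g, j), 1) == (h_prime(g, j)(1) == 0)


# Constructed sample functions g, each total on integers.
def g_dec(n):  # 1 -> 0 in one step
    return n - 1


def g_hop(n):  # 1 -> 5 -> 2 -> 0 in three steps; everything else maps to 7
    return {1: 5, 5: 2, 2: 0}.get(n, 7)


def g_inc(n):  # never reaches 0 from 1
    return n + 1


if __name__ == "__main__":
    for name, g in [("g_dec", g_dec), ("g_hop", g_hop), ("g_inc", g_inc)]:
        print(name, "least unrolling:", least_unrolling(g, 20),
              "h'(1) at j=4:", h_prime(g, 4)(1))
```

Running the block shows `g_dec` converging at the second unrolling and `g_hop` at the fourth, while `g_inc` never converges and `h'(1)` keeps returning 1 for it; in every case `h_prime(g, j)(1)` is 0 exactly when `approximant(g, j)(1)` converges, which is the step the proof relies on.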